Have a customer that has several on-prem MXs at multiple locations. They also have a VMX100 deployed in Azure. Layer 7 rules for countries are not available on the VMX but they are on the hardware MXs.
Question: What would be the best practice for blocking a particular country from the VMX?
>Question: What would be the best practice for blocking a particular country from the VMX?
The VMX is only used for terminating VPNs and nothing else. People don't usually implement country blocking for VPNs.
I am not very confident that country blocking applies to MX on-premise either.
@Kamome wrote:
I have both vMX and on-premise MXs, and I can't find L7 rules for countries on either of them. Could you show more detail about that?
For on-premises MX,
@Nash, thanks for that tip. Didn't know we could do that.
As @Netwow states, you do have to have an adv security license. (But my company ONLY sells MX with adv security.)
I'm broadly speaking not a fan of country-based blocking, even though we do it at a few financial customers because it makes their auditors happy. I don't think it's effective in a day and age where anyone can buy a prepaid credit card and spin something up at a cloud provider.
I do think it's effective at accidentally breaking things, especially in the case of some of Microsoft's IP space. Or just preventing access to useful things and increasing the risk of shadow IT.
Go to SD WAN > Firewall > Layer 7, scroll to the very bottom and you should see countries. I believe this requires an advanced security license.